Digital forensic tools dig up hidden evidence faster

Government investigators and law enforcement officials filtering and searching for forensic evidence on computers can be overwhelmed by the frequency and complexity of digital investigations.

AccessData, a developer of stand-alone and enterprise-class digital investigation tools, has added features to its Forensic Toolkit that offer greater visibility into digital elements and artifacts left on computers to help ensure evidence is not missed.

Forensic Toolkit (FTK) version 5.1 now includes native support for Microsoft's Volume Shadow Copy (VSC), a technology that captures manual or automatic backup copies (snapshots) of a volume's data at specific points in time, including on a regular schedule.

Now investigators can “easily identify and quickly examine ‘digital artifacts’ across different points in time, while leveraging all of the advanced features of FTK,” said Brian Karney, AccessData’s COO and president.

“[VSCs] are extremely useful in digital forensics,” said Neil Broom, laboratory director of the Technical Resource Center, an American Society of Crime Laboratory Directors Accredited Lab.

“Using VSCs, we have successfully proven that spoliations had been attempted on a hard drive through the use of anti-forensics tools (i.e. CCleaner),” he said in an AccessData statement.

“After CCleaner was run, the hard drive showed no evidence of the proprietary data we were looking for. After examining the VSCs, we were able to recover destroyed Registry files that proved the proprietary data had been accessed on that computer. The VSCs showed a ‘snapshot-in-time’ of when these files were active on the hard drive and when they were deleted,” said Broom.

In addition to retrieving metadata for deleted files, VSC analysis with FTK provides a point-in-time history that serves as a chronology of how documents, user activity, programs and other artifacts have changed over time. For example, this could reveal relevant evidence that resided in a document at some point in the past but was intentionally changed and would not be recoverable any other way – a major stumbling block in digital investigations.
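The snapshot-to-snapshot comparison described above, as an added example written for this article (it is not FTK code and not from AccessData): each snapshot is reduced to an inventory of file hashes, consecutive inventories are diffed to bound when a file was created, changed or deleted, and any earlier version that a snapshot still holds can be located. The three inventories are constructed sample data, and the `mklink` step in the comment is an assumption about how an examiner would expose one shadow copy as a directory on Windows.

```python
import hashlib
from pathlib import Path

def inventory(root):
    """Map relative path -> SHA-256 for every file under root, i.e. one point in time."""
    # On Windows a shadow copy can be exposed as a directory first, e.g.
    #   mklink /d C:\vsc3 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\
    # and then inventoried with inventory(r"C:\vsc3") (assumed workflow).
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def sha(text):
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample inventories standing in for three weekly snapshots (not real data):
# a document that is edited and then removed, and a registry hive that changes each week.
SNAPSHOTS = {
    "2013-09-01T09:00": {"Users/jdoe/Documents/plan.docx": sha("draft 1"),
                         "Windows/System32/config/SOFTWARE": sha("hive a")},
    "2013-09-08T09:00": {"Users/jdoe/Documents/plan.docx": sha("draft 2"),
                         "Windows/System32/config/SOFTWARE": sha("hive b")},
    "2013-09-15T09:00": {"Windows/System32/config/SOFTWARE": sha("hive c")},
}

def build_timeline(snapshots):
    """Diff each snapshot against the next one and return (path, event, earlier, later)
    tuples: the event happened somewhere inside that interval, which is the
    precision a set of snapshots can give."""
    times = sorted(snapshots)  # ISO-8601 strings sort chronologically
    events = []
    for earlier, later in zip(times, times[1:]):
        before, after = snapshots[earlier], snapshots[later]
        for path in sorted(before.keys() | after.keys()):
            if path not in before:
                events.append((path, "created", earlier, later))
            elif path not in after:
                events.append((path, "deleted", earlier, later))
            elif before[path] != after[path]:
                events.append((path, "modified", earlier, later))
    return events

def history_of(snapshots, path):
    """Every snapshot that still holds `path`, oldest first, with that version's hash,
    so an earlier copy of a changed or deleted file can be pulled from that snapshot."""
    return [(t, snapshots[t][path]) for t in sorted(snapshots) if path in snapshots[t]]

if __name__ == "__main__":
    for path, event, start, end in build_timeline(SNAPSHOTS):
        print(f"{event:8} {path}  between {start} and {end}")
```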

The latest version of FTK also includes evidence geomapping, a new data visualization feature, which allows investigators to see on a map the geographic location of evidence items containing geocoded information.